Attempts to use the 5250 emulator provided by iSeries Access for Windows or iSeries Access for Linux to connect a remote console to an HMC may fail. Errors such as cwbco1048, cwblm0018 or cwblm0040 may indicate a downlevel version of the emulator or a configuration error.
Resolving the problem
The 5250 emulator provided by iSeries Access for Windows and iSeries Access for Linux products can be used for remote 5250 console connections through an HMC. One common error is cwbco1048 - A time-out occurred trying to connect to the iSeries. Another group of errors is reported as cwblm0018 - Failure, server could not understand the request. rc2= <xxxxx> HMC <y> from the Microsoft Windows client, cwblm0040 - Unknown failure. mainRC= <xxxxx> rc= 0 rc2= 0 from the Linux client, and cwbco1040 - Using remote port lookup mode: Always use remote server mapper. The following is a list of common errors and how they can be resolved.
CWBCO1048 and CWBCO1040 Errors
The CWBCO1048 error occurs if a downlevel emulation client is used. CWBCO1048 or CWBCO1040 may occur if the user profile specified on the connection is something other than Q#HMC. Verify that the version of iSeries Access being used is in the list of supported emulators. The list is available in the IBM eServer Information Center topic Connecting to a 5250 console remotely at the following Web site:
The other possible cause is that user profile Q#HMC has not been properly configured as the default user in the workstation profile. It must be supplied in the workstation configuration and not on a sign on dialog prompt. Moving or copying the iSeries Access for Windows workstation profile file (extension .ws) will cause the loss of the profile's default user information. Workstation profiles configured for HMC access use a second file to store the user profile information. In addition to the standard workstation file that uses the file extension .ws, there is a second file with extension .cae. The two files must always reside in the same directory. For further information on configuring the iSeries Access for Windows product, refer to Rochester Support Center knowledgebase document N1015900, IBM iSeries Access for Windows PC5250 Configuration for HMC Remote Console. To link to document N1015900 immediately, click here .
Note: The cwbco1048 error may take several minutes to surface when using the Linux client. A minute or more after attempting to start the emulation session, a "New 5250 Session" window will appear. This window may appear to be non-responsive. After a few more minutes, the user will be prompted for a sign-on. A few minutes later the error cwbco1048 appears. The length of the delay is determined by the default socket settings used by the TCP stack.
The error cwblm0018 with rc2= <xxxxx> HMC <y> indicates that the user profile of Q#HMC was used but that the emulator was unable to obtain a connection or emulation license from the HMC. The HMC text in the error message indicates that the user profile Q#HMC was entered correctly and the emulator attempted to make a special HMC connection. <xxxxx> is the return code from the internal error. <y> represents which step failed in the connection process. Step a is validation of the port and user profile. Step b is the actual network connection. When the step is b, <xxxxx> is usually a standard socket return code. Steps other than a or b indicate a license error between the emulator and HMC. Verify the HMC and emulator are at the supported service level.
The error cwblm0040 - Unknown failure. mainRC= <xxxxx> rc= 0 rc2= 0 is the Linux emulator's equivalent of cwblm0018. The mainRC (<xxxxx>) is usually the underlying socket error.
|Linux:||cwblm0040 - unKnown Failure. mainRC= 10061 rc= 0 rc2= 0|
|Windows:||cwblm0018 rc2= 10061 HMC b|
This indicates that the host or TCP/IP address is up and running but rejected the connection. The usual cause is that an attempt was made to connect to an IBM i5/OS Telnet server rather than the actual HMC using the profile Q#HMC. The 10061 is a winsock error indicating a remote host rejected the connection.
|Linux:||cwblm0040 - unKnown Failure. mainRC= 11001 rc= 0 rc2= 0|
|Windows:||cwblm0018 rc2= 11001 HMC b|
The 11001 is a socket error indicating that the host name was not found. Verify the HMC host name is correct and exists in the DNS or local host table. Attempt to connect using the TCP/IP address.
|Linux:||cwblm0040 - unKnown Failure. mainRC= 10060 rc= 0 rc2= 0|
|Windows:||cwblm0018 rc2= 8411 HMC b|
The 8411 is an iSeries Access emulator time-out (CWB_USER_TIMEOUT). 10060 is a socket layer connection time-out. Both imply that the host was located but no response was received to the connection request. This implies the HMC is powered off or unreachable due to the network configuration or a firewall restriction. The firewall restriction could be an outbound port restriction on a local firewall, a firewall in the network, or the firewall on the HMC. Verify that each firewall is configured to allow the required port(s): 2300 for non-SSL, 2301 for SSL. Refer to the eServer Information Center for information on configuring the HMC firewall.
|Windows:||cwblm0018 rc2= 8413 HMC <x> where <x> is any letter c to h|
<x> = c
"c" implies a time-out waiting for the HMC console server to initiate the Telnet negotiation.
This error is typically seen after a restart of the HMC due to time needed for the 5250 proxy to fully initialize. In later versions of the HMC (7.7.3 or later), it typically takes 20 to 60 minutes after a HMC restart before the console is ready. Earlier versions typically take 5 to 15 minutes. To speed up the initialization, you should generate additional entrophy (randomness) on the HMC by running some tasks on the local HMC that generate CPU or network use.
In HMC Version 7, a possible cause of a persistent failure is a problem with the HMC certificate/keyring files. The problem can be resolved by generating a new self-signed certificate and rebooting the HMC. The error will also occur when using an imported signed certificate (defect 681248). That issue is fixed in 7.3.5 and later. Version 7.3.4 and earlier need to circumvent the problem by using a self-signed certificate.
<x> = d to h
Values of "d" to "h" imply a network time-out after the connection has been established and negotiation started. The usual cause is a network error. Ensure that the duplex and line speed settings are correct. Check the hub, cable and other network components.
|Windows:||cwblm0018 rc2= 8405 HMC c|
One possible cause of this is attempting an unsecure connection (port 2300) on a HMC that requires secure connections (i.e "NIST" mode). To check the HMC security level run lshmc -r. If the security setting shows "security=nist_sp800_131a" then un-secure connections are not allowed. Users must use a secure connection that supports TLS 1.2. For further information on configuring a secure connection see
Configuring IBM i Access for a Secure Remote 5250 Console Connection
or Configuring ACS for HMC remote console
|Windows:||cwblm0018 rc2= 25406 HMC b|
One possible cause is using an older version of IBM i Access for Windows (which performs client hello over SSL2) to a HMC that requires TLS (and has no support for SSL Vx). Upgrade IBM i Access for Windows to a newer version or use ACS with JRE7 or later. For further information on configuring a secure connection see
Configuring IBM i Access for a Secure Remote 5250 Console Connection
or Configuring ACS for HMC remote console
|Linux:||cwblm0040 - unKnown Failure. mainRC= 31 rc= 0 rc2= 0|
|Windows:||cwblm0018 rc2= 31 HMC e|
This error occurs when user profile Q#HMC is used with a configuration that attempts to obtain an 5250 HMC console license from a non-HMC Telnet server.
|Windows:||cwblm0018 - Failure, server could not understand the request. rc2= 25420 HMC b|
This error is generated for SSL connections when the server refuses to negotiate the certificate. Typical causes of the error are:
The HMC is not configured for SSL connections;
The HMC was not rebooted after installing the private keyring file.
|Windows:||cwblm0018 - Failure, server could not understand the request. rc2= 25410 HMC b|
This error is generated on SSL connections when the iSeries Access licensing receives an invalid reply from the server. One common cause is entering the TCP/IP address for an operating system partition rather than the HMC. If the operating system as-vcons server (port 2301) is active, it will cause this error.
|Windows:||cwblm0018 - Failure, server could not understand the request. rc2= 25414 HMC b|
This error occurs on SSL connections when the server certificate is not trusted. This usually occurs when the HMC certificate authority is not installed into the certificate database for the emulator. Export the public key ring file from the HMC, and use the IBM Key Management utility to place the certificate authority in your local key database. For further information on configuring iSeries Access for Windows, refer to the Rochester Support Center document for HMC version 7:
N1018887, Version 7 HMC: Configuring SSL Remote 5250 Console Connection
Version 7 HMC: Configuring SSL Remote 5250 Console Connection
For version 6 see document N1015694, HMC Remote 5250 Console SSL Configuration for iSeries Access for Windows Emulator.
Verion 6 - HMC Remote 5250 Console SSL Configuration for iSeries Access for Windows Emulator
Another cause of the error is if the private key used does not match the public key. First, reboot the HMC. This restarts the 5250 proxy with the current private key. If the problem is not resolved, delete, then re-import the public keyring to ensure it matches the private key.
In Version 6 and earlier, this error will also occur if the HMC Certificate Authority distinguished name is set to the HMC fully qualified host name. The distinguished name can be viewed on the local HMC by logging in as hscroot, expanding System Manager Security, clicking Certificate Authority, and then viewing "Certificate Authority distinguished name" under "Status". If the name displayed is the same as the qualified host name ("myhmc.mycompany.com" rather than "WebSysMgr CA-1 myhmc.mycompany.com"), it must be corrected before PC5250 will recognize the certificate authority. This can also be verified using the IBM Key Management utility and comparing the issuer name to the subject name.
The problem can be resolved by using the "Unconfigure Certificate Authority" option and then reconfiguring security. When configuring the Certificate Authority, accept the default distinguished name of "WebSysMgr CA-1 host.domain".
|Windows:||cwblm0018 - Restricted by Policy. rc2= 8500|
This error can occur when the user profile that has logged into Windows does not have enough authority to perform an internal function (for example, to read/write a registry, perform a port lookup, and so on). A quick test for this problem is log in to Windows as the administrator (not only a user that is a member of the Administrator group) and attempt the connection again. If successful, receiving this error message is the result of the administration on the PC (for example, Windows).
Emulator <lightning bolt>658 "Local socket trying to connect to remote server/host <xxxx> using port <xx> infinitely...
This error is reported by the emulator. It implies that iSeries Access successfully obtained a license from the HMC but the port specified on the emulation session is incorrect. Verify that the port is 2300 (non-SSL) or 2301 (SSL).
Emulator hang "Secure Socket is connecting through TLS1.0 to remote server/host <xxx> using port 2300"
The emulator appears to hang with the message above shown in the status bar. This implies that emulator is configured for SSL and that iSeries Access successfully obtained a license from the HMC, but that the port specified on the emulation session is 2300 (non-SSL). Verify that the port is 2301 (SSL). The emulator session may also fault.
Blank screen "Connected to remote server/host <xxx> using port 2301"
The emulator connects but displays a blank screen with the cursor in the upper left corner. If the port is 2301 this usually implies that the emulator is not configured for SSL but that the port specified on the emulation session is 2301 (SSL).